Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 4006 Source: smtpsvc

Source
Level
Description
Message delivery to the host ""<ip address>"" failed while delivering to the remote domain ""<domain name>"" for the following reason: <error description>.
Comments
 
Windows 2003 SP2 with a Virtual SMTP Server running as part of IIS, dropping emails to an Exchange server.

Errors included:
The semapohore timeout period has expired.
The connection was dropped by the remote host.

SMTP Log on this server showed the connection timing out "451+Timeout+waiting+for+client+input 0 0 36 0 180985 SMTP"

Everything had worked fine until an upgrade of Sunbelt Vipre Enterprise Client was pushed out without realizing the email scanner option had been turned on.

I disabled the Email scanner and did an IISRESET from a command prompt and our emails immediately began flowing again.
This error was presenting when sending to a specific domain. This domain had very strict reverse DNS lookup mail checking. Our emails were sending as 'sender@server.domainname.com', but the 'from' address was 'sender@domainname.com'. This caused the receiving server to blacklist the email, and return the SMTP 550 error that generated the 4006 event. Updating our DNS PTR records as well as configuring the SMTP DNS name correctly in IIS fixed the error.
EV100350 (Troubleshooting IIS SMTP) provides some basic suggestions on how to troubleshoot IIS-based SMTP issues.
Error: An SMTP protocol error occurred - See ME895853 for information on how to troubleshoot mail relay issues in Exchange Server 2003 and in Exchange 2000 Server.
I corrected this error by adding in a Smart Host our Exchange serverís FQDN. Go to IIS Manager -> Default SMTP Virtual Server -> Properties -> Delivery -> Advanced -> Smart Host.


On a Windows 2003 SP1 running an independent SMTP service under Inetinfo (i.e. no Exchange), after having re-installed the Symantec Antivirus Client version 10.0.0.359, as the former instance did not work correctly anymore, we got these errors (falsely marked warnings, as the mails were never sent). There are several possibilities to resolve this problem as per ME919091.
Our problem was solved by disabling "Internet E-mail Auto-protect" in the Symantec Antivirus Client.
Another possible reason for this event's occurrence is "Greylisting". See the link below.
As per Microsoft: "After you configure your Microsoft Windows Small Business Server 2003-based computer to send and to receive Internet e-mail, you cannot successfully send e-mail messages through the SmallBusiness Simple Mail Transfer Protocol (SMTP) connector. The e-mail messages remain in the outgoing mail queue. Additionally, if you configure diagnostic logging for the MSExchangeTransport service, this event may appear in the Application log". See ME827601 to fix this problem.

From a newsgroup post: "I called MS tech support and the solution is to disable the antivirus email scanning and to exclude the \Inetpub and %systemroot%\system32\inetsrv from any real time virus scanning. The tech said most antivirus products cause this type of problem with Exchange and IIS".

From a newsgroup post: "The solution ended up being to put the IP address of the IIS Server in it's SMTP Server's list of allowed Relay hosts. Just so it is clear what I did (the IIS Server that hosts the ASP code has an IP address of 192.168.168.25):  

1. I went to the IIS Admin MMC, went to the SMTP Server properties -> Access
-> Relay
2. I chose "Only the list below" and added 192.168.168.25 to the list
3. I left the bottom checkbox checked that talks about authenticated users
4. Hit OK and mail immediately was delivered".
After following the instructions in ME292278 and setting the firewall so that it was blocking port 25, the problem ceased to reappear in my case.
See the link to "EventID 4006 from source MSExchangeTransport" for information on this event.

Additional information can be found in McAfee Solution ID: kb41777. Go to the "McAfee Knowledge Search" page and search for the specified solution.
One cause of this event`s appearance could be your firewall blocking port 25.
See the link to "Bare Linefeeds in SMTP Messages" for information on this issue.
Error: The remote server did not respond to a connection attempt. - The remote server may be down or there might be network problems preventing the smtp service to reach the server.

Error: The semaphore timeout period has expired. - no info

Error: The connection was dropped by the remote host. - The remote server may experience difficulties, it may have policies configured in regards to what hosts to accept or deny or there might be network connectivity problems (Internet delays).

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net.

Read more...

 

Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.

Read more...